HOME RSS  Twitter 
<< Quantum Pajamas   Mystery DLL Strikes Again >>  

NvRaser.dll - Mystery File ...

So last night my computer ALMOST got slammed with a trojan pretty hard. I started seeing alerts come up from Norton Internet Security that a Trojan was blocked, and then 10 seconds later another such alert came up... My normal procedure when this starts to happen is to immediately cut the power to my computer, reboot into Safe Mode and run a full system virus scan.

Lo and behold Norton found an infected file, and required a reboot to complete the repair. So between the system scan, a reboot for Norton, and a second reboot for ChkDisk, it took several hours to finish.

Upon going back into Windows everything (for the most part) seemed to be running well. I did, however, notice a strange entry in the startup area of the registry that just would not go away. As soon as I deleted it, it would reappear. I wish I had written the entry down, but as far as I can remember it was calling 'rundll32.exe c:\windows\nvraser.dll /startup' ... To get rid of this I simply terminated the rundll32.exe process and then purged the registry entry. There were also numerous files created in the Temp folder of Local Settings, all around the time of the infection. I killed all of them.

So I am happy to say that I dodged a major bullet LOL. Now all that remains is a mystery DLL file which I renamed and hijacked to my Desktop for further inspection. What baffles me is that there appears to be ZERO information anywhere about NvRaser.dll. I tried Google, Bing, Yahoo, and none of them return any results! WTF ??!

I used PE Explorer's disassembler to see if I could get any clues as to the use of this file, but unfortunately am quite inexperienced at the bit level machine language. Here are some (extremely vague) clues:

; Imports from KERNEL32.dll
    extrn CloseHandle
    extrn ExitProcess
    extrn FileTimeToSystemTime
    extrn GetACP
    extrn GetCommandLineA
    extrn GetModuleHandleA
    extrn GetOEMCP
    extrn GetStartupInfoA
    extrn HeapAlloc
    extrn HeapCreate
    extrn HeapReAlloc
    extrn InterlockedDecrement
    extrn MulDiv
    extrn MultiByteToWideChar
    extrn PulseEvent
    extrn ReadFile
    extrn ReadProcessMemory
    extrn ResumeThread
    extrn RtlUnwind
    extrn SetLastError
    extrn SetUnhandledExceptionFilter
; Imports from msvcrt.dll
    extrn exit
    extrn _except_handler3
    extrn rand
    extrn __getmainargs
    extrn __p__commode
    extrn __p__fmode
    extrn __set_app_type
    extrn fprintf
; Imports from user32.dll
    extrn GetSubMenu
    extrn wsprintfA
    extrn EndPaint
    extrn SetTimer
; Imports from winmm.dll
    extrn timeGetTime
    extrn joySetCapture
    extrn joyGetThreshold
    extrn joyGetNumDevs
    extrn joyGetDevCapsW
    extrn joyGetDevCapsA
    extrn waveOutGetNumDevs
; Imports from ole32.dll
    extrn CoCreateInstance
    extrn CoFileTimeNow
    extrn CoCreateGuid
    extrn CoBuildVersion
    extrn StringFromGUID2
    extrn CoTaskMemAlloc
    extrn CreateAntiMoniker
; Imports from SHLWAPI.dll
    extrn StrTrimA
    extrn StrToIntA
    extrn StrStrW
    extrn PathStripPathA

I think I might need to defer to my good friend and Computer Forensics Expert to see if any other clues can be found. My guess at this point is that NvRaser.dll was to be referenced by one of the malicious (randomly named) executable files residing in the Temp folder, or the infected file in the Windows directory.

I am archiving this mystery file, so if anybody wants a copy just let me know and I'll be happy to send it over!

Monday, May 24 2010 4:46:08 PM in Computing

Related Posts:
Mystery DLL Strikes Again 5/31/2010 8:33:54 PM


Home Page
Nintendo 3DS Pre-Order
HTML5 Validation and iFrame frame...
The Egg
The Physics of Light and Time Tra...

Previously ...
Intention vs Expectation
Mystery DLL Strikes Again
NvRaser.dll - Mystery File ...
Quantum Pajamas
The Move Towards Individual Sover...
The Origin of Consciousness
Miracle Food Recipe? Space Syrup
Why You Are So Important
Stubborn Theology
Strict Science

Blogging (2)
Clarifications (2)
Computing (2)
Encouragement (1)
Food (1)
Gadgetry (3)
Health (2)
Internet Marketing (1)
Life (6)
Philosophy (11)
Recipes (1)
Science (3)
Software Dev (2)
Television (2)
Travel (7)

September 2011
January 2011
September 2010
August 2010
June 2010
May 2010
March 2009
February 2009
July 2008
March 2008
November 2007
October 2007

Eckhart Tolle
The Library of Halexandria

Twitter Updates

    Copyright © 2017 TheFreedomWriter.com